Lately, a lot of security industry discussions have been focused on PCI DSS (Payment Card Industry Data Security Standard). The conversation ranges from practical advice on “how to get compliant” all the way to branding PCI as a devilish invention (Google for “PCI is the devil”). Fiery debates aside, PCI DSS guidance helped countless organizations to see the light of security where there was none before. It goes without saying that it didn’t magically make them “become secure” – no external document can.

One of the frequent criticisms of PCI focuses on the misguided view that “PCI is all about passing an ‘audit’.” Many people would be surprised to find out that PCI DSS lists specific tasks that you have to be doing all the time – NOT just before the assessment. This article focuses on the exact steps organizations must take to actually stay compliant and not just pass validation via scanning, on-site assessment or self-assessment questionnaire (SAQ).

Indeed, very few experts will actually tell you how to STAY compliant and not just how to GET compliant. Recent cases of massive card data breaches at companies that were at one point validated as PCI DSS compliant show that staying compliant is much harder than getting compliant. The security benefits of PCI DSS are not realized just because an assessor in a fancy suit tells you that you are “validated as compliant.” Such benefits are there if you are “doing PCI” and “doing security” every day (yes, PCI does include daily tasks for you to do!). By the way, if you are trying to use PCI DSS to launch your security program, this resource would be a useful guide: http://chuvakin.blogspot.com/2009/10/my-fun-pci-webcast-on-oct-27-2009.html

Despite the above focus on “getting compliant,” some security vendors preach the theme of “ongoing compliance.” In fact, they’ve been doing that literally for years. Of course, the “ongoing compliance” theme is awesome. Sadly, a majority of those same vendors’ customers don’t do it like this (to their own loss – this is why it is sad). They still have the assessment-time rush, the “please the QSA” approach and a “checklist-oh-we-are-DONE” mentality. We can conclude that before one wants to “sell” a continuous compliance concept, one needs to educate the audience first.

To top it off, achieving 100% PCI compliance for validation gets far more resources at corporations than maintaining 100% PCI compliance does.

In light of the above discussion, a lot of people are surprised that the PCI DSS document itself contains a list of tasks to perform to maintain compliance between assessments. The table below shows these periodic tasks:

Req.  Section  Frequency    Task
----  -------  -----------  ------------------------------------------------------------------
6     6.6      1/year       For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
                            - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
                            - Installing a web-application firewall in front of public-facing web applications
9     9.5      1/year       Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
1     1.1.6    1/6 months   Requirement to review firewall and router rule sets at least every six months
11    11.1     1/quarter    Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use
11    11.2     1/quarter    Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
10    10.6     1/day        Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
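As an added example (not from the article or from the PCI DSS standard itself), the following Python tracks the periodic tasks in the table above and reports which ones are overdue on a given date, including tasks that must be redone after a change (6.6 after web application changes, 11.2 after significant network changes). The day counts used for the intervals, the change-event names and the sample dates are constructed assumptions.

```python
from datetime import date, timedelta

# Periodic tasks from the PCI DSS table above: (description, max days between runs,
# kind of change that also forces a re-run). Day counts are constructed approximations.
TASKS = {
    "6.6":   ("Assess public-facing web applications", 365, "web_app_change"),
    "9.5":   ("Review security of backup media location", 365, None),
    "1.1.6": ("Review firewall and router rule sets", 182, None),
    "11.1":  ("Scan for unauthorized wireless access points", 91, None),
    "11.2":  ("Internal and external vulnerability scans", 91, "significant_network_change"),
    "10.6":  ("Review logs for all system components", 1, None),
}

def next_due(req, last_done, changes):
    """Date by which the task must next run; `changes` is a list of (kind, date).
    A qualifying change after the last run makes the task due on the change date."""
    _, interval, trigger = TASKS[req]
    due = last_done + timedelta(days=interval)
    triggered = [when for kind, when in changes if kind == trigger and when > last_done]
    return min([due] + triggered)

def overdue_tasks(history, changes, today):
    """Map requirement -> days overdue for tasks not performed on schedule.
    `history` maps requirement -> date last performed; never-performed tasks get None."""
    overdue = {}
    for req in TASKS:
        last = history.get(req)
        if last is None:
            overdue[req] = None          # no evidence it was ever done
        elif today > (due := next_due(req, last, changes)):
            overdue[req] = (today - due).days
    return overdue

# Constructed sample records for a status check on 15 Nov 2009.
HISTORY = {
    "6.6": date(2009, 6, 1), "9.5": date(2009, 3, 1), "1.1.6": date(2009, 5, 1),
    "11.1": date(2009, 10, 1), "11.2": date(2009, 9, 1), "10.6": date(2009, 11, 13),
}
CHANGES = [("web_app_change", date(2009, 11, 1)),              # re-triggers 6.6
           ("significant_network_change", date(2009, 10, 20))]  # re-triggers 11.2

if __name__ == "__main__":
    for req, days in overdue_tasks(HISTORY, CHANGES, date(2009, 11, 15)).items():
        print(f"{req:6}{TASKS[req][0]}: overdue by {days} day(s)")
```

Running this daily against real completion records turns the table into the kind of between-assessment check the article argues for, rather than a list consulted only before the QSA arrives.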

To conclude, while getting compliant gets more attention, staying compliant is where a lot of mistakes and faults (leading to data breaches) are made. As you are working on PCI DSS compliance related initiatives, make sure that staying compliant is taken just as seriously as getting to that first validation.

ABOUT THE AUTHOR:

Dr. Anton Chuvakin (http://www.chuvakin.org/) is a recognized security expert in the field of log management and PCI DSS compliance. He is the author of the books "Security Warrior" and "PCI Compliance" (second edition coming in November 2009!) and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management (see the list at http://www.info-secure.org/). His blog http://www.securitywarrior.org/ is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
